Skip copying CIDs to SSL transforms until CID feature is complete
This commit temporarily comments the copying of the negotiated CIDs
into the established ::mbedtls_ssl_transform in mbedtls_ssl_derive_keys()
until the CID feature has been fully implemented.
While mbedtls_ssl_decrypt_buf() and mbedtls_ssl_encrypt_buf() do
support CID-based record protection by now and can be unit tested,
the following two changes in the rest of the stack are still missing
before CID-based record protection can be integrated:
- Parsing of CIDs in incoming records.
- Allowing the new CID record content type for incoming records.
- Dealing with a change of record content type during record
decryption.
Further, since mbedtls_ssl_get_peer_cid() judges the use of CIDs by
the CID fields in the currently transforms, this change also requires
temporarily disabling some grepping for ssl_client2 / ssl_server2
debug output in ssl-opt.sh.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index af8bfde..c558a84 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -956,11 +956,14 @@
if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Copy CIDs into SSL transform" ) );
- transform->in_cid_len = ssl->own_cid_len;
- transform->out_cid_len = ssl->handshake->peer_cid_len;
- memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len );
- memcpy( transform->out_cid, ssl->handshake->peer_cid,
- ssl->handshake->peer_cid_len );
+
+ /* Uncomment this once CID-parsing and support for a change
+ * record content type during record decryption are added. */
+ /* transform->in_cid_len = ssl->own_cid_len; */
+ /* transform->out_cid_len = ssl->handshake->peer_cid_len; */
+ /* memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len ); */
+ /* memcpy( transform->out_cid, ssl->handshake->peer_cid, */
+ /* ssl->handshake->peer_cid_len ); */
MBEDTLS_SSL_DEBUG_BUF( 3, "Outgoing CID", transform->out_cid,
transform->out_cid_len );